I had similar thoughts about firewall load balancing recently.  I have
several PIX firewalls in failover config.  I am not pushing anywhere near
100Mbps (I know they couldn't pass that much if I did), but they perform
fine.  Instead of load balancing firewalls, I chose to have multiple
networks, that each have their own pair.  As the network grows, I will split
the network based on load.

The other problem I had with the LBs in front of the firewalls was being
able to protect them.  The reason I have the firewalls is to control
traffic.  I can't control traffic to things outside the firewalls.

Jason Lewis
http://www.packetnexus.com
http://www.packetnexus.com/kb/greyarts/
It's not secure "Because they told me it was secure". The people at the
other end of the link know less about security than you do. And that's
scary.



-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Smith, Steve
Sent: Wednesday, May 23, 2001 3:36 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: RE: Load Balancing/HA switches



I've been kicking this idea around for a while as well.  I wonder how
much redundancy I get by loading 2-3 firewalls with a single FireProof
switch.  It seems to move the failure point a little further outward,
that's all.

Many vendors advocate a "Firewall Sandwich" to provide HA to a firewall.
This means 2 load balancer/HA devices on the outside, and 2 load
balancers/HA devices for each security zone.  So a simple 3 zone
(private, public, DMZ) firewall-cluster (let's say 2 firewalls) uses 6
load balancer/HA devices.  At $15,000 ($90,000 total) that's not cheap
and I don't think I gain much in the way of redundancy in using this
configuration.  It adds considerable administration and upkeep to the
design.

It seems the only commercial FW product that has a MAC/IP fail over is
FW-1.  Not that I don't like FW-1 but it doesn't fit our organization
very well.  There's an annoying gap in FW technology in regard to
redundancy.  Actually that's not quite true, I can provide redundancy as
long as I don't mind adding 5X the hardware and $$$$$.  Frustrating but
there's only so much I can get done in an 80-hour work week...

>Does anyone care to share opinions about Radware's FireProof switches
>versus the CSS 11000 line available from Cisco?
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
